TTM4137: Informasjonssikkerhet i trådløse nett

Intro

This is the questions for the 2017 exams. 50% of the exam will be a subset of these questions.
The regular questions + answers can be found in the urn of questions section. (tip: control+f to search).
Questions and answers are currently under construction, press edit to help answer.
Answers in bold are word-for word correct answers to the questions from previous exams.

Acronyms

EPS

Evolved Packet System

4G

HSS

Home Subscriber Server

A central database that contains user-related and subscription-related information

Which of the following is a security concern with Windows 10 Wi-Fi Sense?

Some issues are that you may not trust all your contacts on skype, outlook and facebook. Also, when you give an actual key to someone, they might carelessly share this with all of their friends.

What is required to spoof a de-registration message in user de-registration request spoofing?

WEP

How are the fragmentation and chopchop attacks different from the PTW attack?

Chopchop attacks allows you to decrypt packages without knowing the key, and exploits IV reuse. PTW helps find the key

How does initialization vector (IV) reuse compromise confidentiality?

When you have two identical IVs you can XOR the two encrypted messages and get the two XOR-ed plaintexts. If you then know some parts of the plaintext that is always the same (based on protocol this can be e.g. header fields with the IP-address etc) you can guess the actual plaintexts.

How does the integrity check value (ICV) in WEP protect against message modification?

It computes a checksum of the data that is to be transmitted, and encrypts this checksum with the data. However, it is possible to flip bits in both data and ICV.

How does WEP provide replay protection?

WEP does not provide replay protection

How is the integrity check value (ICV) in WEP computed?

By using a cyclic redundancy check

How long is the integrity check value (ICV) in WEP?

4 bytes.

How many messages are exchanged in the WEP shared key authentication?

4 messages

Is the same key used for authentication and encryption in WEP?

Yes, and the fact that the master key is used for both authentication and encryption is a known weakness.

What is the length of the WEP initialization vector (IV)?

24 bits

What is the major weakness in WEP, exploited by the PTW attack used in the lab?

Correlation between keystream and RC4 key

What is the problem with the WEP authentication protocol (which is therefore rarely used in practice)?

It leaks keystream

Which stream cipher is used for WEP encryption?

Which encryption algorithm is used in WEP?

RC4 stream cipher.

What is ARP re-injection used for in the attacks on WEP?

To obtain fresh initialization vectors

What is the consequence of the PTW attack on WEP?

Long term secret key compromise

What are the consequences of the fragmentation attacks, e.g., by Bittau et al.?

One can transmit arbitrary WEP data without knowing the key.

WPA

Does WPA support TKIP, CCMP or both?

WPA supports only TKIP.

How does the counter mode operation of a block cipher E() work?

E(i) XOR Mi

How is the PMK distributed in RSN?

It can be pre-shared or distributed by an upper layer.

What are the input elements to the pseudo-random function used to compute the PTK?

Master Key (256 bit)

Nonce A

Nonce B

Address A

Address B

What is Michael in WPA/RSN?

A message integrity code used in TKIP

What is an RC4 weak key?

A weak key is a key where a disproportionate number of bits in the first few bytes of the key stream were determined by a few bites in the key itself. One can negate weak keys by discarding the first 256 bytes of the keystream.

What is an RSN group key?

Messages that is multicasted to all devices is encrypted with a group key allowing all authenticated devices to decrypt the message.

WPS

How many messages are exchanged in the WPS in-band registration protocol?

8

What is the purpose of the first two messages of the WPS in-band registration protocol?

Diffie-Hellman key exchange

Which three entities participate in the WPS configuration process?

Enrollee, Access Point, Registrar

CCMP

Does CCMP provide confidentiality, integrity, or both?

CCMP uses CCM that combines CTR for data confidentiality and CBC-MAC for authentication and integrity.

How is IEEE 802.11 CCMP nonce input constructed?

It is constructed from the priority, sender MAC address and sender packet number.

How is the counter in CCMP initialized?

How is the 128 bits start value of the counter for CCMP encryption initialized in RSN?

The counter is initialized by adding the flag value, nonce and counter together. The counter starts at 1 and increments by one for every block.

How is the 64-bit message integrity code (MIC) value in CCMP derived from the 128-bit final block?

We only keep the lower 64 bits.

How long is the PTK when CCMP is used?

384 bit.

How long is the CCMP header, and how long is the packet number contained in this header?

The CCMP header is 8 bytes, packet number contained in the header is 6 bytes.

Is the complete MAC PDU encrypted by the CCMP?

No, the MAC header and the CCMP header are not encrypted

The PTK is a collection of several keys. List these keys and their length when CCMP is used:

4-way handshake keys:

EAPOL Authentication - key confirmation key 128bit

EAPOL Encryption - key encryption key 128bit

CCMP data key

Data integrity and encryption 128bit

Total PTK length: 384 bit.

What are the five input values to the CCMP Decryption block?

Key, Data, Nonce, MIC, AAD

What are the four input values to the CCMP Encryption block?

CCMP header

Source address

Data length

MPDU data

What is a mutable field in CCMP?

A header field that is not integrity protected because it can be modified in transit

What is the 128-bit start value for RSN CCMP encryption?

8-bit flag, 104-bit nonce, and a 16-bit counter; where the nonce field contains an 8-bit priority value, the 48-bit source address, and the 48-bit packet number

What is the format of the first block used for the CBC-MAC computation in CCMP?

The block is 16 bytes. The first byte is a flag, the 13 following are a nonce that is formed by combining sender packet number, MAC address and priority, and the last two bytes indicate the length of the plaintext data.

Which block cipher mode of operation is used for AES in RSN?

Counter mode with cipher block chaining message authentication code

Which cryptographic algorithm is used by CCMP?

AES

Which cryptographic algorithm is used in counter mode with cipher block chaining message authentication code protocol in CCMP?

AES (?)

Which parts of an MPDU encrypted under CCMP are not encrypted?

MAC header fields and CCMP header fields

TKIP

How long is the IV used in TKIP?

48 bit.

How long is the PTK when TKIP is used?

512bit (128 bit, four keys)

How many TKIP sequence numbers does a receiver keep track of?

1?

Is they MIC key be recovered in the attack on TKIP by Beck & Tews?

Beck and Tews recovered the MIC in their attack, and used it to transmit some packets.

The PTK is a collection of several keys. List these keys and their length when TKIP is used:

Data encryption key - 128 bit

Data integrity key - 128 bit

EAPOL-Key Encryption key - 128 bit

EAPOL-Key Integrity Key - 128 bit

What are the consequences of the chopchop-like attack on TKIP by Beck & Tews?

An attacker can get responses to packets sent with partly guessed content (It is possible to decrypt plaintext without knowing the key)

What properties of TKIP are exploited in the chopchop-like attack on TKIP by Beck & Tews?

The Kc key is originally intended to be used as an encryption key over the air interface, but in this protocol, it is used for deriving keying material and is not directly used.

What is the purpose of the EAPOL 4-way handshake?

Authenticated key agreement for session keys

What is the purpose of the first phase of PEAP?

Creating a TLS connection.

What is the purpose of the second phase of PEAP?

User authentication

Which identity does the EAP-Identity response in EAP-SIM contain?

The identity response is sent by the the mobile device as response of an Identity reqeust sent by the Access Point, so it contains the IMSI of the device (TMSI if is not the first time that this event occurs)

Which security method is used in the first phase of PEAP?

TLS

Mobile Communication

What is a call session control function (CSCF)?

A SIP proxy used in IMS

Which authentication method is used by IMS?

UMTS Authentication and Key Agreement (AKA)

Which CSCF handles SIP registration requests and informs the Home Subscriber Server (HSS)?

S-CSCF

Which UTRAN layer provides handovers, preparations for handovers to GSM and cell reselection?

RRC

Why is it a security requirement that the USIM implementation must be tamperproof?

Because the USIM can be removed from the UE and analyzed/ tampered with (?)

To facilitate the mobile operator with secure computation and storage at UE side.

Why is the UICC normally easily removable from the mobile station?

The UE manufacturing and lifecycle can be managed independently from the personalization and subscription process

GSM

Does GSM provide mutual authentication?

No, the SIM does not authenticate the network

What are the RAND, SRES and Kc values in an EAP-SIM triplet?

The A3/A8 authentication and key derivation algorithms that run on the SIM can be given a 128-bit random number (RAND) as a challenge. The SIM runs operator-specific algorithms, which take the RAND and a secret key Ki (stored on the SIM) as input, and produce a 32-bit response (SRES) and a 64-bit long key Kc as output. The Kc key is originally intended to be used as an encryption key over the air interface, but in this protocol, it is used for deriving keying material and is not directly used.

Does the use of TMSIs protect the IMSI from active attackers?

No.

What are the inputs of the authentication function A3 used in GSM?

$K_i$, RAND

What is the output of the authentication function A3 used in GSM?

SRES/XRES (32 bit signed message)

How is the subscriber identity protected from radio channel eavesdropping in GSM?

How is the initial RRC connection request message sent in UMTS Security Setup Procedure?

When RRC Connection Establishment procedure is started, the last message, RRC Connection Setup Complete includes the UE Capability information. The UE Security capability informs the network about the UEAs and the UIAs that the UE supports. The GSM classmark information is also important and it provides along with other stuff, the GSM security algorithms supported. This message also has the START list that contains the START value for the CS and the PS domain.

In which mode of operation is KASUMI used for constructing the 3GPP f8 key stream generator?

Combining Counter-mode and OFB-mode

Sketch the 3GPP f8 stream cipher structure, using the KASUMI function as a black box.

Sketch the 3GPP f9 cipher structure, using the KASUMI function as a black box.

What is the 3GPP value OP, and what is the length of this value?

Optional pre shared key that the operators can use.

It’s probably 128 bit.

What is the bit length of the permanent subscriber key K in UMTS?

128 bit

Which values are sent from the AuC to the VLR/SGSN during 3G/UMTS authentication?

RAND, XRES, CK, IK, AUTN

Where is the sequence number (SQN) used in 3G/UMTS networks generated?

UE and AuC (?)

What is the block size of the KASUMI function used by the f8 algorithm?

64 bits

What is the output of the UMTS $f_9$ algorithm?

32 bit MAC-I

What is the purpose of the sequence number (SQN) used in 3G/UMTS networks?

Preventing replay attacks

What kind of cipher is KASUMI?

A5/3 (Feistel cipher)

Where are the UMTS functions f1-f5, f1 and f5 implemented?

USIM and AuC

What is the block length of the block cipher used by MILENAGE?

Up to the operator. AES is recommended which uses block sizes of 128 bit. (?)

Which cipher mode does the 3GPP f8 stream cipher use?

OFB with additional counter.

What was the underlying assumption for the MILENAGE security analysis?

The kernel function must be a secure block cipher.

Why can the USIM be removed from the rest of the UE?

The UE manufacturing and lifecycle can be managed independently from the personalization and subscription process.

Why must the USIM implementation be tamper-proof?

To facilitate the mobile operator with secure computation and storage at the UE side

How does the EPS authentication improve the security over the 3G/UMTS authentication?

Cannot downgrade to GSM.

Does a successful run of EPS authentication achieve mutual authentication between mobile station and serving network?

How is backward key separation achieved during handovers over X2 connections in EPS?

The source eNB applies a one-way function to the key before transmitting it to the target eNB

How is forward key separation achieved during handovers over X2 connections in EPS?

The target eNB receives a fresh key from MME immediately after handover

How is the EPS key derivation function constructed?

HMAC-SHA256

The end points of the user data encryption in EPS are

The UE and the eNB

What are the end points of signalling encryption in the EPS access stratum?

The UE and the eNB

What are the end points of signalling integrity in the EPS non-stratum access?

UE and MME

Is the network domain security for the core network sufficient to protect the UMTS/LTE authentication and key agreement messages against parallel session attacks?

No, the network domain services does not necessarily protect against parallel session attacks.

Which values are sent from the HSS to the MME during the LTE/EPS authentication protocol?

RAND

AUTN

XRES

Kasme

Where does the key derivation function KDF of EPS reside?

In the UICC and the HSS

What is cryptographic network separation (in EPS)?

The derived keys are specific to the serving network

Why is the NAS Security Mode Command message in EPS never encrypted?

The messages are sent before encryption keys have been established.

They are Integrity protected.

What is Snow 3G and why is it used in UMTS and EPS?

Stream cipher. Is good stuff.

Will 3G USIMs work with EPS UE handsets?

Yes, because the ME computes the EPS keys

Which encryption schemes are specified in EPS?

SNOW and AES

Why are the keys CK & IK generated in EPS even though they are not directly used?

To provide backward compatibility with UMTS, and they are used in the KDF function to generate Kasme.

Why does EPS provide a more complex key hierarchy than UMTS and GSM?

To support cryptographic key separation and enable more frequent key renewal

Sundry

What is the Rijndael algorithm?

AES-encryption. Symmetric encryption algorithm.

Can a keyed checksum be used as message authentication code?

Yes.

Does breaking collision resistance of a hash function imply breaking pre-image resistance or the other way around?

No but the other way around (?)

Does breaking collision resistance of a hash function imply breaking second pre-image resistance or the other way around?

Does EPID have a mechanism for key revocation?

Yes, using a revocation list

What are the entities in EPID?

Issuer + revocation manager (often merged)

Member

Verifier

How can one show that P $\neq$ NP if one can prove the existence of one-way functions.

Why is it not sufficient to base the construction of a one-way function f on an NP-hard problem (i.e. Where inverting f requires solving an NP-hard problem)?

NP-hardness only guaranties that there exists one value that is NP hard to compute.

How to solve the potential malicious traffic discovery problem in WIDS?

Intuitively, what does it mean for a message authentication code to be 'existentially unforgeable against chosen message attacks'?

What is the difference between a stream cipher and the one-time pad?

Is a stream cipher as secure as the one-time pad?

No. A stream cipher is bound to repeat at some point , while a OTP never repeats. If you could generate a stream cipher with a truly random output, it could be used as a OTP.

Is a stream cipher malleable?

Yes, but you need to make all changes at both the sender and receiver.

Is the CBC-MAC a secure message authentication code if the IV is constant 0 ?

Yes

What are the advantages of the counter mode of encryption, e.g., in comparison to the CBC mode?

CTR allows for parallel encryption and errors do not propagate to the next block.

What are the general steps performed by intrusion detection systems for mobile ad-hoc networks?

Data collection

Detection

Response

What are the problems with Intrusion Detection System in real life?

What is the problem with MAC Sequence Number Analysis in Intrusion Detection Systems?

Each class in QoS has its own sequence number. An attacker can hijack the session when a user goes offline as well.

What are the two main security functionalities of a smart card?

Key Strength

Authentication

(?)

What is Internet Key Exchange?

Internet Key Exchange (IKE or IKEv2) is the protocol used to set up a security association (SA) in the IPsec protocol suite. IKE uses X.509 certificates for authentication - either pre-shared or distributed using DNS (preferably with DNSSEC) and a Diffie–Hellman key exchange - to set up a shared session secret from which cryptographic keys are derived. In addition, a security policy for every peer which will connect must be manually maintained

What is lawful interception?

Wiretapping of private communication requested by a law enforcement agency

What is the difference between a checksum and a cryptographic message authentication code?

A checksum can be (re-)computed by an attacker, the authentication code cannot

What is the difference between a smart card and a SIM?

SIM is a subset of smart cards

What is the main difference between wired and wireless Intrusion Detection Systems in terms of functionality?

You can physically protect wired points.

People can set up their own AP and abuse man in the middle

What is the purpose of the EPID join procedure?

To assign a private key to a device

Which part of IEEE 802.16 MAC PDU is encrypted?

Only payload (?)

Can the security header in MAPsec be encrypted? Why/why not?

No. The MAPsec header must be processed at the receiving end.

2017 Specific

EMV Contactless

Which of the following is a security concern in EMV Contactless Payment?

Eavesdropping, Unauthorized Activation, Relaying and Pre-Play Attacks

What is the Frame Waiting Time (FWT)?

The maximum time between data sent by the reader and the response returned by the card

5G Long Term ID

How can the long-term user identity be protected in case of an Identity Request?

With a pseudonym or asymmetric cryptography

How can public key cryptography be used to protect the IMSI?

Encrypt the IMSI with the public key of the receiver, and the receiver will use the corresponding private key to decrypt the IMSI. Could be with either Certificate Based Public-key Cryptography or Identity Based Encryption.

Which of the following is a drawback with respect to the usage of public key cryptography for protecting the long-term identity?

Key revocation

Key-distribution

Trust model

Performance overhead

Is TMSI a solution to protect the permanent identity IMSI?

Yes, but not a good one

What is the main challenge in protecting the long-term user identity in LTE networks?

IMSIs could be requested without an established security context to protect the confidentiality and integrity of the messages.

Guest Wlan

Is traffic in the Linksys guest network encrypted?

No

Which of the following is a vulnerability in Linksys Guest Mode?

Which of the following is a security concern with respect to the Linksys Guest Mode password?

The Guest network does not support a secured wireless network such as WPA2

Default password BeMyGuest

Captive portal over HTTP

What is client isolation?

A security feature that prevents peer-to-peer attacks on a LAN. Whith this feature, clients may not communicate with other clients.

What is the length of a normal, encrypted keyboard packet from Logitech wireless keyboards? Wireless keyboards

22 bytes long

EAP-NOOB

What is the main challenge for connecting IoT devices to 802.11i Enterprise networks? EAP-NOOB

Lack of UI

What is the most significant difference between EAP-NOOB and other available EAP methods? EAP-NOOB

Unlike any other EAP methods currently available, EAP-NOOB does not assume or require
any pre-con gured authentication credentials such as symmetric keys or certi cates.

Is EAP-NOOB vulnerable to MiTM attacks on the Diffie-Hellman key agreement? EAP-NOOB

EAP-NOOB use user-assisted out-of-band (OOB) to protect against MiTM attacks. MiTM attacks are not easy and would often require phisical access to the supplicant to either modify or spoof the OOB message.

Which of the following statements is a security assumption for EAP-NOOB? EAP-NOOB

Why does an EAP-NOOB execution span multpiple EAP sessions? EAP-NOOB

Which generic NAI string is used by the client in EAP-NOOB? EAP-NOOB

What are the states in the EAP-NOOB state machine? EAP-NOOB
Unregistrered
, Waiting for OOB
, Recived OOB
, Reconnecting
, registrered.